Critical infrastructure
Industry
News
Regulation, Standards and Compliance
Utilities: Energy & Power, Water, Waste

New bill directs FERC to develop energy pipeline reliability, cybersecurity standards

December 03, 2021
energy pipeline

A new bill was introduced in the U.S. House of Representatives that would direct the Federal Energy Regulatory Commission (FERC) to create a new, stakeholder-driven entity responsible for developing energy pipeline reliability and cybersecurity standards. 

The bill calls upon the FERC to certify an energy product reliability organization that shall, subject to the Commission’s review, establish and enforce energy product reliability standards, and for other purposes. The energy product reliability organization will be required to consult with the administrator of the Transportation Security Administration (TSA) and the Secretary of Energy in developing energy product reliability standards relating to cybersecurity for energy pipelines. 

The bill will be taken up by the House Committee on Energy and Commerce’s Energy Subcommittee at a hybrid legislative hearing next Tuesday.

The legislation, titled, ‘Energy Product Reliability Act,’ was introduced by U.S. Senator Bobby L. Rush, a Democrat from Illinois and chair of the Energy Subcommittee.

The Act states that the energy product reliability organization shall, at a minimum, establish energy product reliability standards relating to cybersecurity, including protocols for the reporting of cybersecurity incidents, physical security, and coordination of delivery and availability of energy products. This will help ensure reliable electricity generation, including electricity generation that is needed to maintain electric transmission system reliability. 

The provisions of the Act describe a ‘cybersecurity incident’ as a malicious act or suspicious event that disrupts or attempts to disrupt the operation of programmable electronic devices and communication networks, including hardware, software, and data, that are essential to the reliable delivery of an energy product through an energy pipeline. 

Within two years of the date of enactment of the Act, the FERC shall certify an energy product reliability organization that has the ability to develop and enforce energy product reliability standards; and establish rules that ensure its independence from the users, owners, and operators of energy pipelines, according to the legislation. The organization will help ensure fair stakeholder representation in the selection of its directors and balanced decision-making in any energy product reliability organization committee or subordinate organizational structure.

The Act also provides for the protection of information with “any notice of enforcement or record pertaining to a violation of an energy product reliability standard relating to cybersecurity submitted to the Commission shall be deemed to be critical electric infrastructure information (as defined in section 215A of the Federal Power Act (16 U.S.C. 824o–1).”  Currently, energy pipeline and their infrastructure are not subject to mandatory standards that ensure end-users can depend on a reliable supply of energy.

“It is long past time that we had enforceable reliability standards for energy pipelines, just as we do for the electric grid,” Rush said in a media statement. “The Energy Product Reliability Act is a necessary and prudent response to the devastation from the Texas winter storm and other recent weather and cybersecurity disasters that have highlighted the dire need for standards for our fuel system. All Americans deserve reliable access to energy, and the Energy Product Reliability Act will help deliver on that promise.”

Senator Rush’s bill comes at the same time as concerns being raised about the security of the critical electric sector by a public interest researcher, Michael Mabee, who has conducted investigations on the security of the critical electric sector. He said last month that the presence of Chinese transformer threats has now been confirmed by the administrations of two U.S. Presidents – Donald Trump and Joe Biden.

Pointing that no government agency has the authority to mandate that the electric grid protect itself from known threats, Mabee said that “protection is voluntary for the majority of the electric and inadequate and self-regulated in the bulk power system.”

In September, another cybersecurity expert, Joe Weiss, asked the FERC to direct the North American Electric Reliability Corporation (NERC) to conduct a comprehensive survey of all registered entities in the bulk power systems (BPS) to determine what Chinese equipment or systems are currently in use in the BPS, and how they are being used. 

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Securing cloud, IIoT in Industry 4.0 emerges crucial for protecting industrial operations across OT/ICS environments
Securing cloud, IIoT in Industry 4.0 emerges crucial for protecting industrial operations across OT/ICS environments
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
MITRE's CREF Navigator aligns with DoD's CMMC to boost cyber resilience in defense industrial base
MITRE’s CREF Navigator aligns with DoD’s CMMC to boost cyber resilience in defense industrial base
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
ASIS Foundation reports on impact of autonomous vehicles on security and technology
ASIS Foundation reports on impact of autonomous vehicles on security and technology
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
RMC
Risk Mitigation Consulting acquires Securicon, boosting cybersecurity and mission assurance offerings