Tale of two smart-grid bills

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By William Jackson
 

Connecting state and local government leaders

By William Jackson

|

Bills now before the House Homeland Security and Energy and Commerce Committees take different approaches toward regulating and strengthening the security of the electric grid against cyberattack.

House legislators have introduced at least two bills to revamp security regulation of the nation’s power grid.

Officials at the Federal Energy Regulatory Commission, which is responsible for regulating the power grid, have complained that current laws do not allow timely, flexible security standards and leaves the grid vulnerable to cyberattack in a quickly evolving, increasingly networked environment.

H.R. 2165, the Bulk Power System Protection Act of 2009, was introduced April 29 by Rep. John Barrow (D-Ga.).  H.R. 2195 was introduced April 30 by House Homeland Security Committee chairman Bennie Thompson (D-Miss). Sen. Joseph Lieberman (I-Conn.) introduced a companion bill to Thompson's legislation, S. 946, April 30.

The House bills are similar, but a comparison of the two by the Homeland Security Committee highlights their differences.

The Homeland Security Department's role:

H.R. 2165 does not specify a role for DHS.

H.R. 2195 requires DHS to assess cyber vulnerabilities or threats to electric infrastructure and recommend ways to mitigate them. It also would play the lead role in identifying threats or vulnerabilities that require immediate protective actions. DHS plays a major role in control system cybersecurity, funding the Control Systems Security Program at the Energy Department’s Idaho National Laboratory at $25 million a year.

Scope:

H.R. 2165 covers the bulk power system, defined in the Federal Power Act as generation and high voltage transmission systems, but does not include distribution substations and lower voltage networks that distribute electricity to customers. Alaska, Hawaii, and Guam are specifically excluded from reliability regulations, as are many major cities, such as New York and Washington.

H.R. 2195 covers all critical electric infrastructure, defined in the legislation as generation, transmission, distribution and metering infrastructure.

Standards to protect against current vulnerabilities:

H.R. 2165 requires FERC, in consultation with Mexico and Canada, to establish measures to protect against specific vulnerabilities and related remote access issues. FERC may issue orders to grid operators to incorporate these measures, subject to notice and comment, until the North American Electric Reliability Corp., a standards-setting body, adopts mandatory standards that replace interim FERC orders.

H.R. 2195 requires FERC, in consultation with DHS, to supplement cybersecurity standards determined to be inadequate against vulnerabilities or threats. Subsequent NERC measures can replace those standards.

Orders for future threats:

Under H.R. 2165, a written directive from the president that a cyberattack is pending will require FERC to issue emergency orders within 30 days to owners, users and operators of the bulk power system or any regional entity. This emergency order would be discontinued if the president, the secretary of Energy or FERC finds that the threat no longer is imminent; when a replacement standard is adopted; or after one year, if the threat has not been reaffirmed.

H.R. 2195 requires DHS to perform ongoing vulnerability and threat assessments to critical electric infrastructure and recommend mitigations to FERC. FERC may issue mitigation orders if it finds that a threat is imminent. These orders apply to any owner or operator of generation, transmission, distribution or metering systems and are effective for 90 days unless continued by FERC.

Protection of information:

H.R. 2165 requires FERC to issue rules and procedures for protecting unclassified sensitive cybersecurity information from disclosure. These rules would not prevent FERC from disclosing this information on a need-to-know basis. The bill contains a list of requirements for handling this information.

H.R. 2195 uses the Homeland Security Act’s “Protected Critical Infrastructure Information Program” to protect information and exempt information submitted to FERC from the Freedom of Information Act and state and local disclosure laws.

Providing assistance to industry:

H.R. 2165 requires the Energy secretary to establish a program to develop expertise in electric grid cybersecurity within industry.

H.R. 2195 has no similar provision, although the Homeland Security Committee might argue that an existing DHS program to secure control systems should be expanded rather than re-established at DOE.

Defense facilities:

H.R. 2165 requires Alaska, Hawaii and Guam to prepare plans to protect facilities providing electricity to defense facilities from imminent cyberattack. The definition of bulk power system does not include those states and territories.

H.R. 2195 would cover those assets without a specific provision. The bill also would cover cities such as New York and Washington, which are also outside the scope of the Bulk Power System.

NEXT STORY: DOE, NIST aim to secure smart grid

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.