Issue in Brief: The House of Representatives passed two bills aimed at mitigating cybersecurity threats to critical infrastructure that would, if passed, expand the Department of Energy’s (DOE) regulatory authority in this area. In addition, the Transportation Security Administration (TSA) issued a second set of directives for owners and operators of pipelines that transport liquids and natural gas. This new directive requires TSA-designated critical pipelines to implement specific mitigation measures, develop a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review.
Key Takeaway: Enhancing cybersecurity for critical infrastructure remains at the forefront of lawmakers’ focus, and operators of critical infrastructure across industries should expect more legal requirements imposed upon them in the near future.
On the Horizon: If the bills are passed by the Senate and signed into law by President Biden, the DOE will have enhanced responsibilities in addressing cyber threats, coupled with the authority to develop public-private partnerships to create more robust cybersecurity protections. In addition, owners and operators of pipelines transporting liquid and natural gas should prepare to implement heightened security requirements that the new directive imposes.
On July 19, 2021, in two bipartisan votes, the House of Representatives passed H.R. 3119, the Energy Emergency Leadership Act, and H.R. 2931, the Enhancing Grid Security through Public-Private Partnerships Act. These bills now move to the Senate for debate.
H.R. 3119, the Emergency Energy Leadership Act, is designed to reorganize the DOE by elevating energy emergencies and infrastructure cybersecurity as key functions of the DOE, and creating a new Assistant Secretary position to focus solely on these issues. The bill was passed as a response to recent malware and ransomware attacks to various critical infrastructure facilities.
H.R. 2931, the Enhancing Grid Security through Public-Private Partnerships Act, is a bit more robust than H.R. 3119, and provides explicit directives to the DOE Secretary with respect to cybersecurity. Specifically, the Enhancing Grid Security through Public-Private Partnerships Act requires the Department Secretary to enhance protection for electric utilities against physical and cyber threats by:
(1) developing, and providing for voluntary implementation of, maturity models, self-assessments, and auditing methods for assessing the physical security and cybersecurity of electric utilities;
(2) providing training to electric utilities to address and mitigate cybersecurity supply chain management risks;
(3) increasing opportunities for sharing best practices and data collection within the electric sector;
(4) assisting with cybersecurity training for electric utilities;
(5) advancing the cybersecurity of third-party vendors that work in partnerships with electric utilities; and
(6) providing technical assistance for electric utilities subject to the program.
See Enhancing Grid Security through Public-Private Partnerships Act, H.R. 2931, 117th Cong. § 1 (2021). If passed, the Act would further require the Energy Secretary to submit reports to Congress on the development and progress of the above initiatives.
The July 2020 Pipeline Directive
The TSA developed this recent directive in conjunction with the Cybersecurity and Infrastructure Security Agency. It applies to owners and operators of TSA-designated critical pipelines that transport hazardous liquids and natural gas and focuses on technical countermeasures to protect against ransomware attacks and other threats to internal control systems, such as malware. The directive also contains measures to develop and implement cybersecurity contingency and recovery plans and conduct cybersecurity design reviews. Because of the sensitive nature of pipeline cybersecurity measures, the details of the directive have not been released to the public.
These bills and the TSA directive are demonstrative of the increased focus on cybersecurity for our nation’s critical infrastructure. Unlike the TSA directive, which does impose substantive legal requirements on owners and operators of pipelines transporting liquids or natural gas, neither of the bills impose substantive legal requirements on owners or operators of critical infrastructure facilities—rather, they both serve to expand and delineate specific duties that DOE has in the realm of cybersecurity for critical infrastructure. That said, assuming the Senate passes these bills, owners and operators of critical infrastructure facilities beyond pipelines should expect to see specific legal requirements imposed in the not-too-distant future.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm of approximately 700 lawyers practicing throughout a network of 13 offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology, and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.