Electrical Infrastructure Security Legislation

Anyone that has been reading the newspapers lately should certainly be aware of the fact that US intelligence agencies believe that they have found evidence of penetration of control systems used in the production and distribution of electrical energy in the United States. Many feel that there is inadequate legal authority to address this apparent vulnerability. The chairs of the House and Senate Homeland Security Committees made the first step to correct that legal shortcoming last Thursday when they introduced identical bills in the House (HR 2195) and the Senate (S 946). According to a joint press release, the bill would be known as the Critical Electric Infrastructure Protection Act (CEIPA). CEIPA Objectives These bills would provide the Federal Energy Regulation Commission (FERC) with specific legal authority to regulate security of critical electric infrastructure. It would bring any “any entity that owns, controls, or operates critical electric infrastructure” {§224a(e)} under the jurisdiction of FERC for purposes of these security provisions. Additionally, FERC is given the responsibility for determining what “systems and assets, whether physical or cyber used for the generation, transmission, distribution or metering of electric energy…. are so vital to the United States that the incapacity or destruction of such systems and assets, either alone or in combination with the failure of other assets, would cause significant harm to the security, national or regional economic security, or national or regional public health or safety” {§224a(a)(1)}. As an interim measure the bills would require FERC, within 120 days of passage, prepare regulations, to “protect against known cyber vulnerabilities or threats to the reliable operation of the critical electric infrastructure in the United States” {§224b(a)}. These regulations would be developed in ‘consultation’ with DHS and would “supplement, replace, or modify cybersecurity reliability standards” already in place. Additionally the bills would require to the Department of Homeland Security to conduct an ongoing assessment of the “cyber vulnerabilities or threats to critical infrastructure, including critical electric infrastructure and advanced metering infrastructure” {sec 224(b)(1)}. The results would be reported to FERC and Congress and would be used to formulate rules and regulations to deal with the vulnerabilities and or threats uncovered. Affect on High-Risk Chemical Facilities The most obvious effect on high-risk chemical facilities will come from the DHS review of cyber threats to ‘critical infrastructure’. High-risk chemical facilities will certainly be included in that review. While we have yet to see the final Risk-Based Performance Standards Guidance document, the draft version of that documents provided little guidance on control system security. A serious review of control system vulnerabilities should certainly result in increased emphasis on the security of these critical systems under CFATS. It is unlikely that DHS will complete such a review prior to site security plan (SSP) submissions by most currently identified high-risk chemical facilities. DHS could certainly require facilities to re-look at cyber security after the review is completed and revisions are made to the SSP tool and RBPS Guidance document. This legislation does not, however, currently propose to change the §550 prohibition of DHS requiring any prescriptive security measures as a pre-requisite of the approval of site security plans. Clear identification of cyber security risks will help many facilities increase their security, but without a modification of this prohibition most facilities will not undergo the detailed system reviews that will be required to truly secure these systems. As more chemical facilities turn to adding co-generation capabilities to their operations there is the possibility that their facilities may come under the FERC control of their electrical generation systems. Facilities that do not return power to the grid are unlikely to be affected, but as micro-generation becomes more important to the grid, co-generation facilities that send excess electricity to the grid are likely to be controlled to some extent by FERC regulations