Yesterday there were 47 amendments proposed for S
2012, the Energy Policy Modernization Act of 2015. Of those, three may be
of specific interest to readers of this blog:
SA 3186. Mrs. FISCHER (R,NE), pg S493;
SA 3196. Mr. KIRK (R,IL), pg S501;
SA 3197. Ms. COLLINS (R,ME), pg S501;
OSHA Retail Facility Exemption
Fischer’s amendment would stop the Occupational Health and
Safety Administration (OSHA) from changing the way it interprets which
facilities are exempted from the Process Safety Management Standards (PSM) on
the basis of being a ‘retail facility’. OSHA announced
their narrowing of the interpretation of the term ‘retail facility’ last July.
This amendment would stop any enforcement actions on the new definition until a
rulemaking was completed establishing the new definition.
Large Scale Cyber Incidents
The Kirk amendment would establish ‘large scale cyber incident’
as an incident that could be covered under the disaster relief provisions of
the Robert T. Stafford Disaster Relief and Emergency Assistance Act (42
USC 5121 et seq). It specifically adds the words ‘cyber incident’ to the
definition of ‘major disaster’ {§5122(2)}.
The amendment would add a new definition for the term “cyber incident” {new §5122(14)}
which would be defined as:
“Actions taken against critical infrastructure
through the use of computer networks that result in a significant adverse effect
on the provision of essential services {as described in §5189e(a)(1)}
which:
“Lasts for a period of more than 24-hours; and
“Affects the provision of essential services in more than 1 State.”
The term ‘essential services’ in the current law means any
entity that is contributing to efforts to respond to an emergency or major
disaster and provides {§5189e(a)}:
• Telecommunications service;
• Electrical power;
• Natural gas;
• Water and sewer services; or
• Any other essential service, as determined by the President.
Critical Electric Infrastructure at Greatest Risk
The Collins amendment would define ‘critical electric
infrastructure’ as “a system or asset of the bulk-power system, whether physical
or virtual, the incapacity or destruction of which would negatively affect
national security, economic security, public health or safety, or any
combination of those matters” {new §225(a)(2)}.
It then goes on to define ‘covered entity’ as a critical infrastructure entity
under EO 13636, §9(a).
The amendment then requires FERC and the DOE Secretary to:
“Identify and propose prioritized,
risk-based actions to mitigate cyber risk for each covered entity such that, to
the greatest extent practicable, a cyber security incident affecting that
covered entity would be less likely to result in catastrophic regional or
national effects on public health or safety, economic security, or national
security, given current and projected cyber risks” {new §225(b)(2)}.
As is to be expected, reports to Congress are required on the
identified cyber security incidents and proposed mitigation measures.
Moving Forward
It is now looking like there will be a cloture vote on the
substitute language on Thursday. This means that there will be a cut off for
submission of new amendments to that language this afternoon.
The Fischer amendment is partisan in nature and neither she
nor any of her co-sponsors are on the Energy and Natural Resources Committee. I
would be surprised if this makes the short list of amendments that will make it
to the floor. If it does get to the floor it will probably not get the 60 votes
normally needed for passage during the amendment process.
The Kirk amendment is relatively non-partisan, but Kirk is
not on the Energy and Natural Resources Committee. This is an iffy amendment
for the purposes of making it to the floor for consideration, but if it does
make it to the floor, it will probably get the 60 votes for passage.
The Collins amendment is relatively non-partisan and Sen.
Collins is a senior and influential member of the Senate. This amendment has a
good chance of getting considered and would almost certainly get the 60 votes
necessary for adoption if it does make it to the floor.
Commentary
The two cybersecurity amendments introduced yesterday are
very limited in scope. While the Kirk amendment does include cyber incidents in
disaster relief coverage it only does so with respect to incidents that happen
coincidentally to other disasters. The wording does not even allow the cyber
incident to be caused by the coincidental disaster.
The Collins amendment would place fewer restrictions on its
coverage, but it provides very wide latitude in what FERC and DOE designate as
a cyber risk and how it would be mitigated. There is no reason to expect that
FERC will be any more aggressive in defining those risks and mitigation
measures than they are now.