S 3688 – Energy Infrastructure Security – Security Assistance to Energy Infrastructure

This is the third in a series of posts about the introduction of S 3688, the Energy Infrastructure Protection Act of 2020. The earlier posts in the series were:

S 3688 Introduced – Energy Infrastructure Security

S 3688 – Energy Infrastructure Security – CEII Changes

FERC Assistance

The bill would add §232, Authority of the commission to offer assistance to owners and operators of energy infrastructure to the Federal Power Act. The new section would allow the Commission, upon request, to assist an ‘eligible entity’ by {§232(b)}:

• By reviewing the configuration of the assets of the eligible entity against threats,

• By reviewing the capability of the eligible entity to operate its assets after attacks on those assets,

• By providing information about methods and tools that owners and operators of energy infrastructure may use to defend assets against threats,

• By providing information regarding other resources that may be available to assist the eligible entity, and

• By reviewing data and other assets in the possession of the eligible entity for evidence that the data or other asset has been tampered with; or otherwise been the subject of threat activity.

The term ‘eligible entity’ is defined as {§232(a)}:

• An authority of a State, political subdivision, or Indian Tribe,

• A Transmission Organization,

• An electric utility,

• A natural-gas company,

• An oil pipeline, and

• Any other owner or operator of energy infrastructure

Paragraph (c) directs that any information collected or created by FERC in providing assistance under this section will be treated as if were Critical Electrical Infrastructure Information (CEII). If the information providing organization consents to release of the information, FERC is authorized to share the information with {§232(c)(2)(A)}:

• The Electric Reliability Organization;
• A regional entity;
• An information sharing and analysis center; or
• An authority of a State, political subdivision, or Indian Tribe that is involved in protecting energy infrastructure from threats.

FERC would be allowed to require advanced authorization to share the information with the organizations described above as a prerequisite to providing assistance under this section. Additionally, FERC is authorized to share any information with other Federal agencies under the condition that those agencies protect the information as CEII.

Paragraph (d) allows a requesting entity to withdraw their request for assistance form FERC. Upon receipt of such a request will terminate its actions and return information provided by the requestor to the requestor.

Paragraph (e) prevents FERC from using information provided for the purposes of obtaining assistance “as a basis for any order, rule, opinion, or decision of the Commission” {§232(e)(1)}.

DOE Assistance

The bill would add §233, Authority of the secretary to offer assistance to owners and operators of energy infrastructure, to the Federal Power Act. Many of the provisions from §232 are duplicated in this section. There are some additional provisions found in §233.

In paragraph (b) two new items are added to the areas for which DOE can provide assistance to eligible entities (same definition for that term as in §232):

• By monitoring sensor data and other information flows of the eligible entity, and

• By testing equipment and other assets of the eligible entity.

Paragraph (c) has no counterpart in §232; it requires DOE to carry out a program of research to “gather information about the tools and methods that have been used to penetrate or defend any eligible entity or industrial control systems” {§232(c)(1)}. This would include tools or techniques developed by DHS, DOD, any other Federal agency or “any eligible entity”. The research would be directed to developing a plan “to ensure that the Federal Government has access to energy infrastructure during a time of war or national crisis” {§232(c)(2)} as well as a plan for “the response of the Secretary in the event that owners and operators of energy infrastructure are attacked” {§232(c)(3)}.

The remaining provisions of this section contain the same language found in §232.

Again, we have reached a reasonable stopping point for today’s post.