This article provides an overview of federal and state cybersecurity regulations for the energy sector. It emphasizes the importance of protecting critical energy infrastructure from cyberattacks, as well as the role of state leaders in addressing cybersecurity risks. The article also presents information on regulatory authorities and rules that govern the electricity sector and pipeline owners and operators.
The increasing number of cyberattacks targeting energy infrastructure represents a significant threat to the United States. The Colonial Pipeline ransomware attack in May 2021 caused fuel shortages and consumer panic, highlighting the potential consequences of such attacks on daily life, public safety, and the economy.
In 2023, President Biden unveiled the National Cybersecurity Strategy, which aims to protect critical infrastructure from cyberattacks. Governors are encouraged to adopt state cybersecurity standards to protect critical energy infrastructure. As leaders of their states, governors are ultimately responsible for preparing for and responding to energy emergencies. This resource guide is intended to provide an overview of federal and state cybersecurity regulations in the energy sector.
The Critical Infrastructure Protection (CIP) Standards of the North American Electric Reliability Corporation (NERC) govern the cybersecurity standards for the bulk power system in the United States. NERC is responsible for developing and enforcing mandatory reliability standards in the United States, Canada, and parts of Mexico. The NERC CIP Standards cover areas including system categorization, security management controls, personnel and training, electronic security perimeters, physical security, and incident reporting and response planning.
State-level authorities primarily manage cybersecurity standards for the distribution system. Public utility commissions regulate rates and services of electric and gas companies, including jurisdiction over reliability in the face of physical and cyber incidents. These commissions can review the cybersecurity practices of utilities and require them to report significant cybersecurity breaches that affect electricity demand. Electric utilities and rural electric cooperatives may be subject to self-regulation, and their cybersecurity capabilities differ.
For pipeline owners and operators, cybersecurity regulations are administered by the Department of Homeland Security's Transportation Security Administration (TSA). Mandatory cybersecurity rules were issued in 2021 and updated in 2022. These rules require pipeline owners to report cybersecurity incidents, appoint a Cybersecurity Coordinator, review current practices, identify gaps, and report remedial measures.
The article also provides additional resources from the National Governors Association (NGA) and other organizations to learn more about energy cybersecurity.
In conclusion, it is important to protect critical energy infrastructure from cyberattacks. Federal and state cybersecurity regulations play an important role in ensuring the stability of the energy sector. The adoption and implementation of these standards are essential to protect against cyber threats and minimize potential disruptions in the energy supply chain.