- Following the SolarWinds and Colonial Pipeline hacks, U.S. House lawmakers have reintroduced a series of bipartisan bills to strengthen the security of the energy sector, including a measure encouraging coordination between the Department of Energy and electric utilities.
- Colonial, the largest mover of gasoline on the east coast, on Thursday said it had restarted its pipeline system following a ransomware attack that forced it to halt deliveries and led to gas shortages in some regions.
- Energy lawyers say securing the grid must be a shared responsibility between industry and the federal government, and note the bipartisan nature of the proposals should not be overlooked.
The fallout from the Colonial pipeline hack is still being assessed, but experts say it appears lawmakers understand the severity of the threat and are moving quickly.
"One of the most promising signs is that legislators are working with their colleagues across the aisle to identify solutions to the cybersecurity issues electric utilities face," Howard Goldberg, a partner at Manning Gross + Massenburg, said in an email.
The House Energy and Commerce Committee has reintroduced several bipartisan bills to address threats to critical infrastructure.
On Wednesday, lawmakers reintroduced the Pipeline and LNG Facility Cybersecurity Preparedness Act, which aims to strengthen DOE's ability to address physical and cybersecurity threats to that infrastructure. They also reintroduced the Energy Emergency Leadership Act, which would place cybersecurity as a core function of DOE.
Four lawmakers, including House Energy and Commerce Committee Chairman Frank Pallone Jr., D-N.J., issued a bipartisan statement noting the "ripple effects" of the Colonial attack are "sharp reminders of just how deeply we all rely upon our energy infrastructure every day, and just how crucial it is that we invest in modernizing and protecting it."
Reps. Cathy McMorris Rodgers, R-Wash.; Bobby Rush, D-Ill.; and Fred Upton, R-Mich., also signed on to the statement.
On April 30, the committee also reintroduced the Cyber Sense Act, to strengthen the country's electric grid through federal-private coordination. And on the same day, lawmakers also reintroduced the Enhancing Grid Security through Public Private Partnerships Act, which would direct DOE to provide training to electric utilities to "address and mitigate cybersecurity supply chain management risks," among other steps to secure the grid.
Several of these bills were passed in the previous session of Congress but not acted on by the Senate.
The partnership between private industry and the government that lawmakers seek to leverage is "key to the nation's cyber defenses," Michael Bahar, litigation partner at Eversheds Sutherland, said in an email. Bahar was the former deputy legal advisor to the National Security Council at the White House under President Obama, and helped lead the development of the Cybersecurity Act of 2015.
Congress recognized the importance of the public-private partnership when it passed the 2015 law, said Bahar, and facilitated information sharing "by granting liability protection and antitrust protections for the sharing of cyber threat indicators and defensive measures ... It also greatly facilitated the exchange of vital threat information between the Government and the private sector."
The reintroduced legislation doesn't put any one entity in charge, but "is about making sure that cybersecurity is a top priority for all," Bahar said. "Government has a strong role to play domestically in allocating sufficient resources, ensuring meaningful information sharing, conveying the message of the importance of cybersecurity, and in coordinating prevention and response."
The fact that the bills are bipartisan "is not to be understated," he added.
Goldberg said the government should play a role in addressing cybersecurity concerns, but added that "industry stakeholders and business leaders must also work proactively within their organizations to ensure that their utilities are protected."
"The government's assistance in responding to future cyberattacks should be welcomed, but electric utilities must first focus on preventing the attacks in the first instance," he said.
The Edison Electric Institute did not indicate if it supported the House bills, but stressed its partnership with the government in protecting electric reliability.
"We work across the sector and with our government partners to share actionable intelligence and prepare to respond to incidents that could affect our ability to provide electricity safely and reliably," Scott Aaronson, EEI vice president for security and preparedness, said in a statement.