Earlier today, the Senate Energy and Natural Resources Committee unanimously approved the "Grid Cyber Security Act", a somewhat amended version of the bill it approved last session that was never brought to the Senate floor for a vote. The bill now goes to Senate Majority Leader Harry Reid, who may opt to fold it into a more comprehensive cybersecurity bill he hopes to bring to the floor later this summer.
Meanwhile, the House Subcommittee on Energy and Power of the Energy and Commerce Committee plans a hearing next Tuesday, May 31, on its own version of the bill whose language is based on the GRID Act passed unanimously last year by the House.
Under the provisions of the Senate bill, FERC jurisdiction would be expanded to include distribution in addition to generation and transmission systems and assets deemed "critical electric infrastructure [CEI]," defined as "so vital to the United States that the incapacity or destruction of the systems and assets would have a debilitating impact on national security, national economic security, or national public health or safety."
Within 120 days of enactment, FERC is directed to review current standards to determine their adequacy to mitigate cyber vulnerabilities. Due in part to criticisms that the NERC CIP standards setting process is too slow, the bill would impose a 180-day deadline for NERC to propose revisions to those standards that FERC finds wanting, or develop a new standard to address new vulnerabilities identified by FERC. Reasonable time extensions will be granted, but the bill is silent on penalties if the deadline is not met.
The original draft of the bill would have allowed FERC to circumvent the NERC standards setting process by issuing "interim final orders" without stakeholder input. This provision was deleted from the final approved version, we believe due to the insistence of Ranking Minority Member Lisa Murkowski. The new procedure outlined above does allow for FERC to continually review NERC standards for adequacy and order revisions accordingly, in effect creating a rolling standards process and regulatory uncertainty for asset owners.
Moreover, FERC can require NERC to develop and issue temporary emergency orders to mitigate specific cyber security vulnerabilities if FERC deems that immediate action is necessary. This provision was designed to address Aurora-type incidents, where NERC issued numerous advisories but could not require any utility to take the recommended action to mitigate that vulnerability.
In addition, the Secretary of Energy can order immediate measures to protect CEI from a cyber security threat, with or without notice. The measure sunsets after 90 days unless made final or rescinded in the meantime. "Public utilities" will be allowed to recover costs associated with implementing those measures, under a mechanism to be established by FERC.
Security clearances for those who "need to know" will be expedited. Electric utilities that serve defense facilities in Alaska, Hawaii or Guam must develop emergency plans to protect the reliability of the power supply to those facilities.
And finally, DOE and the national labs are directed to assess and report on the susceptibility of CEI to EMPs and geomagnetic disturbances, using a risk management, cost-benefit analysis.
Stay tuned for a report on the hearing of the House committee next week.