This has not been a joyful winter for energy industry executives. They have repeatedly awoken to alerts that substations in the Northwest and Southeast have been physically attacked and that a major engineering firm was the subject of a ransomware cyberattack that may have compromised utility data.

Federal regulators are taking notice. On December 7, the Federal Energy Regulatory Commission (FERC) and the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) held a joint technical conference to discuss supply chain risk management in light of increasing threats to the Bulk Power System. Multiple government participants identified the possible need to normalize the use of software bill of materials and hardware bill of materials in the electric industry. Several days later, FERC directed the North American Electric Reliability Corporation (NERC) to re-examine its Physical Security Reliability Standard, CIP-014-1. Congress, for its part, responded to growing cybersecurity threats to energy infrastructure by increasing CESER’s budget by almost 7.5% in the recent omnibus appropriations bill and appropriating $20 million for the Cyber Testing for Resilient Industrial Control Systems program.

Cybersecurity attacks on distributed energy resources (DERs) including electric vehicles are also proliferating. In its recent report, Cybersecurity Considerations for Distributed Energy Resources on the U.S. Electric Grid, CESER identified the cybersecurity threat to DER operators, vendors, developers, owners and aggregators as posing a significant and growing risk. The Department of Energy will also soon release a report, mandated by Congress in the Infrastructure Investment and Jobs Act, identifying policies and procedures for enhancing the physical and cybersecurity of distributed resources and the electric distribution system.

The recent physical and cybersecurity incidents targeting critical infrastructure have exposed significant vulnerabilities at some companies, and both customers and the federal government are pushing the private sector to mitigate those threats as a condition for doing business. The federal government, in particular, expects its private sector partners to adopt better security hygiene, assess supply chain risks, and prepare for quick responses to incidents, including rapid notifications to customers, regulators and the public. Here are some best practices for energy sector companies to have on their radar for 2023:

  • Compliance with NERC’s Critical Infrastructure Protection (CIP) Standards. Violations of applicable NERC CIP reliability standards subject users, owners and operators of bulk power system facilities to civil penalties of up to $1,496,035 per violation, per day.
  • Comprehensive Assessments of Key IT and OT Systems. Conducting comprehensive assessments of current and potential system vulnerabilities is a leading cybersecurity industry practice that energy sector companies may consider adopting. They can do so by, for example, engaging in regular inventory of Information Technology and Operational Technology systems, including by assessing patch management processes, performing information security and physical risk assessments, and documenting and regularly reviewing system security plans and related operational documents.
  • Clear Roles and Responsibilities. Establishing clear cybersecurity-related roles and responsibilities can help position the enterprise to respond efficiently and effectively to cyber risk, for example by ensuring that corporate executives, the legal team, and key personnel such as the Chief Information Security Officer, the Chief Information Officer, the Chief Compliance Officer, and the Chief Privacy Officer are on notice of their respective roles and have clear guidance as to their duties both during “business as usual” operations and in the event that a potential cybersecurity incident occurs.
  • Cybersecurity Incident Response Plans. Developing a cybersecurity Incident Response Plan (or “IRP”) is a leading cybersecurity industry practice and may even be a regulatory requirement for certain companies. IRPs are “playbooks” that are developed before a cybersecurity incident occurs to provide guidance for responsible stakeholders to respond to a potential incident and to guide the company through that response in an organized and effective way. IRPs typically include key components, such as individuals’ and teams’ roles and responsibilities, contact lists, details about the internal escalation process (e.g., regarding notifications to government entities), and guideposts for technical teams. Companies may supplement their IRPs with supporting materials, for example checklists for key executives and personnel, and take steps to integrate their IRPs with other related policies, such as all-hazards crisis management plans and communications plans.
  • Cybersecurity Tabletop Exercises. Tabletop exercises are simulations designed to test a company’s response to a potential cybersecurity incident and its application of the Incident Response Plan. These exercises are often facilitated by counsel and conducted under privilege. Notably, the Ponemon Institute, in a report issued by IBM Security, reported that companies that had incident response teams and tested their Plans with tabletop exercises or simulations incurred an average of $2.66 million less in data breach-related costs than those that did not.
  • Supply Chain Risk Mitigation. A company’s supply chain can heighten exposure to cyber threats, including data leaks, supply chain breaches, and malware attacks; however, strategies to mitigate these risks are available, for example implementing protocols to continually assess and monitor third-party risk, understanding and controlling who has access to the company’s most valuable and sensitive data, and ensuring that third-party contracts include cybersecurity requirements. The federal government has acknowledged the importance of addressing such supply chain risk: the 2021 Executive Order 14028, Improving the Nation’s Cybersecurity, and a 2022 OMB Memorandum both impose standards on governmental entities for the security and integrity of the software supply chain, and also require third-party software suppliers to comply with standards issued by the National Institute of Standards and Technology whenever their software is used on government information systems or affects government information, including information shared with government contractors.
  • Information Sharing Opportunities. Last March, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), requiring critical infrastructure entities to report significant cyber incidents and ransomware payments to the Cybersecurity & Infrastructure Security Agency (CISA) within tight time frames. Although CISA has not yet promulgated the rules to implement CIRCIA, it has provided stakeholders with guidance about sharing cyber event information that emphasizes the importance of information sharing to our collective defense and to strengthening cybersecurity for the nation. In addition to federally mandated information sharing requirements, companies may also consider sharing information in a trusted setting, including with their Information Sharing and Analysis Centers (ISACs).

For more information, please contact the professional(s) listed below, or your regular Crowell & Moring contact.

Tyler A. O'Connor

Tyler O’Connor is an energy litigator and public policy leader in Crowell & Moring’s Washington, D.C. office, where he represents clients in the courts, in arbitration forums, and before federal agencies.

Prior to joining Crowell, Tyler served as the Energy Counsel to the House Energy and Commerce Committee, where he played a leading role in drafting the Inflation Reduction Act (IRA) and Infrastructure Investment and Jobs Act (IIJA). He was the lead House lawyer responsible for the Federal Power Act and Natural Gas Act and worked extensively on transmission, energy cybersecurity, and energy supply chain issues. His work brought him into frequent contact with senior administration officials, including at the Department of Energy (DOE) and the Federal Energy Regulatory Commission (FERC), as well as congressional leadership. As the staffer responsible for emerging technologies, including hydrogen and offshore wind, as well as the Loan Programs Office, Tyler has been at the center of energy policy discussions.

Evan D. Wolff

Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office, where he is co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical background and understanding of complex cybersecurity legal and policy issues. Calling upon his experiences as a scientist, program manager, and lawyer, Evan takes an innovative approach to developing blended legal, technical, and governance mechanisms to prepare companies with rapid and comprehensive responses to rapidly evolving cybersecurity risks and threats. Evan has conducted training and incident simulations, developed response plans, led privileged investigations, and advised on hundreds of data breaches where he works closely with forensic investigators. Evan also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework.

Matthew B. Welling

Matthew B. Welling is a partner in Crowell & Moring’s Washington, D.C. office, where he practices in the firm’s Privacy & Cybersecurity and Energy groups. Matthew has a deep technical background that he leverages to represent clients in a wide range of counseling and regulatory matters. His experience includes cybersecurity and privacy incident response, compliance reviews, risk assessments, and the development of corporate policies and procedures, such as incident response plans. Matthew has a diverse background in M&A and other corporate transactional issues, with specific recent experience with technology transactions, cybersecurity issues, and critical infrastructure project development.

Maida Oringher Lerner

Maida Lerner is senior counsel in Crowell & Moring’s Washington, D.C. office and a part of the firm’s Privacy & Cybersecurity, Government Contracts, and Environment & Natural Resources groups. Maida counsels a broad group of clients in a variety of sectors on cyber and physical security compliance and risk management, homeland security, and administrative matters, including trade associations and companies in the pipeline, transportation, government contracts, education, health care, and manufacturing sectors.

Michael G. Gruden, CIPP/G

Michael G. Gruden is an associate in Crowell & Moring’s Washington, D.C. office where he is a member of the firm’s Government Contracts and Privacy & Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.