On May 11, 2017, President Trump signed an executive order requiring a comprehensive review of the federal government’s cybersecurity risk management policies and procedures (the “Order”). The Order also calls for a review of the adequacy of the federal cybersecurity support provided to operators of critical infrastructure, and an assessment of whether current education policies are sufficient to develop a robust cybersecurity workforce.
The Order is notable for its emphasis on the electric power industry. While the Order addresses generally the importance of cybersecurity across all critical infrastructure sectors, it specifically calls out the security of the electric grid as an early area of focus and prioritization for the new Administration. In particular, the Order requires the Secretary of Energy, in consultation with security agencies and state and local governments, to assess “the potential scope and duration of a prolonged power outage associated with a significant cyber incident . . . against the United States electric subsector,” “the readiness of the United States to manage the consequences of such an incident,” and any “shortcomings in assets or capabilities required to mitigate the consequences of such an incident,” and to issue a report of its assessment within 90 days. (Order, Section 2(e)-(f)).
While the Order does not impose any direct requirements on energy industry participants, we anticipate that energy sector regulators may respond with accelerated attention to the cybersecurity of regulated entities. For example, the Department of Energy, the Federal Energy Regulatory Commission (FERC), the North American Electric Reliability Corporation (NERC), and the Department of Homeland Security may engage industry participants in information gathering processes, such as technical conferences or formal requests for information, in developing their recommendations. The Order’s emphasis on readiness and mitigation also suggests regulators will be strongly interested in the industry’s cyber incident response plans, and in whether companies are sufficiently practiced in running through “war game” exercises to prepare for disruption scenarios. Ultimately, these agency reviews could lead to future rulemaking proceedings and, in turn, to new regulations aimed at strengthening the security of the power grid.
More broadly, the Order also requires federal agencies to engage with all critical infrastructure entities identified pursuant to a 2013 executive order as being the most vulnerable to cyber attacks, and to identify improvements to support their cybersecurity processes. (Order, Section 2(b)(i)). This provision is a reminder of the importance that the Administration will attach to the cybersecurity of owners and operators of, for example, oil and gas pipelines and oilfield drilling and services. It will be important for companies to consider reviewing their cybersecurity postures, to conduct regular cybersecurity assessments, and to update their cybersecurity and incident response policies and procedures.
As internet connectivity increasingly becomes integrated into the energy sector’s operational technology, cybersecurity risk will grow, and change in its nature. Threats from nation-states and terrorist actors suggest that this Administration will likely continue its focus on enhancing cybersecurity in order to protect the nation’s energy industry.
In conclusion, the comprehensive review this Order requires may trigger a significant response at agencies regulating the electric power, gas, and oil industries. We will closely monitor any developments and will provide additional updates on issues affecting the power industry and opportunities to participate in any related proceedings so that your organization’s interests are protected.