“The bill was reported from the committee unanimously, so obviously the bill has strong bipartisan support from a committee that’s pretty diverse,” Democratic Senate Energy and Natural Resources Committee Senior Director Bob Simon said after Tuesday's hearing. “But the Senate is sometimes even more diverse.”
Republicans have favored expanding protections for information sharing to bolster critical infrastructure cybersecurity, but strongly oppose adding regulatory measures and enforcements.
Sen. Lisa Murkowski (R-Alaska), the ranking Republican on the Energy panel, threw her support behind the GOP's Secure It Act, which would strengthen information sharing mechanisms.
“I don’t think granting federal regulators broad new powers is the right approach,” Murkowski said in her opening remarks. “Instead, we need a much more nimble approach to deal with cyber-related threats that are constantly growing and constantly changing.”
Bingaman’s bill would give FERC the authority to require the North American Electric Reliability Corporation (NERC) to take emergency action to defend the power grid from cyber attacks. FERC would then rescind those temporary orders after the emergency, or when a cybersecurity standard addressing that vulnerability emerges.
FERC would also be able to designate certain distribution utilities as critical to the network, which would give the NERC new authority to regulate those utilities.
Currently, NERC can only enforce standards on transmission-level utilities, meaning those that own and operate transmission lines that carry bulk power from generating plants to electrical substations.
The Department of Energy also would gain emergency powers to force entities under FERC jurisdiction to take actions protecting the grid from cyber attack.
The bill attempts to settle jurisdictional conflicts that have bogged down attempts to construct a national cybersecurity regulatory framework for the electric grid.
The Energy Policy Act of 2005 forced FERC to choose an “electric reliability organization” that would draft cybersecurity standards governing electric utilities that own and operate transmission-level assets, meaning the lines that carry bulk power from generating plants to electric substations.
FERC chose NERC for that responsibility, and the relationship between the two agencies has been rocky ever since.
NERC moves too slowly to draft effective cybersecurity standards, FERC has often said. The two agencies are dependent upon each other because FERC cannot propose its own cybersecurity standards; it can only approve or suggest recommendations for the ones NERC puts forth.
Bingaman's bill would let FERC force NERC into revising standards it deemed inadequate, setting a six-month deadline for submitting new standards proposals.
NERC President and CEO Gerry Cauley said the organization has focused much of its efforts on boosting information-sharing capabilities. Giving utilities a sense of what is happening in the cybersecurity landscape is essential to helping them protect their systems, he said.
— This story was updated at 1:39 p.m.