2

I. BackgroundConcern for homeland security has grown exponentially in the United States since the terrorist attacks in September of 2001. 9/11 revealed the vulnerabilities facing the United States’ domestic population and civilian infrastructure, and has since led policymakers, security officials, and law enforcement to reorient their approaches to risk analysis. This is not only true for physical security, but for cybersecurity as well. As our economy, security infrastructure, and personal lives all become increasingly digitalized, so do the security threats we face.

Cybersecurity has risen to the top of the list of priorities in both the public and private sectors. The Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) both place the risk of a cyber attack as one of the most likely, and most crippling, in the near future.1 Consequently, every industry and business has faced increasing regulation and internal policy to protect against cyber risks. Both state actors, like Russia and North Korea, and non state actors, like Islamist extremist terrorists and ‘hacktivists,’ have demonstrated a willingness and ability to target civilian energy facilities.2

Security experts and legislators have become increasingly concerned with the resilience of the energy grid. The grid powers our homes, commercial enterprise, and America’s national security infrastructure. The significant economic and

1 https://www.cbsnews.com/news/christopher wray mike pompeo dan coats testify on worldwide threats live stream/ 2 https://www.chathamhouse.org/sites/default/files/field/field document/20151005CyberSecurityNuclearBaylonBruntLivingstoneUpdate.pdf 3 https://www.ifri.org/sites/default/files/atoms/files/barichella cybersecurity energy sector 2018.pdf

security implications of a cyber attack on the energy grid have led lawmakers and oversight agencies in Washington to seek greater cybersecurity regulations, either through voluntary measures or through legislation, resulting in the current web of requirements. This has clearly created a difficult situation for private companies, which are forced to wade through overlapping laws, policies and guidance to ensure that their systems are well protected and implementing the latest security features.

II. On the Books: Existing Cybersecurity Regulation and Oversight In particular, the energy industry is subject to substantial oversight, with several major laws, executive orders, court cases, and government agencies impacting the oversight environment. This current framework facing the energy sector began with the Energy Policy Act in 2005, and additional policies have been revised or added every few years since. Below are the key authorities regulating the cybersecurity of critical infrastructure, including the energy sector. Please note, that some passed laws or executive orders may supersede older versions, but are included to demonstrate the breadth of authorities impacting the cybersecurity facing critical infrastructure.3

The Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) both place the risk of a cyber attack as one of the most likely, and most crippling, in the near future.”

“

One helpful current framework is the Transportation Security Administration’s (TSA) oversight on natural gas pipelines’ cybersecurity capabilities. The TSA’s existing voluntary guidelines – instead of a prescriptive approach – has allowed the private sector to adapt rapidly to evolving cyber threats.”

“

3

Federal Statutes, Court Decisions, Executive Action, Policy, and other Authorities

TitleDate Enacted/

Published

FEDERAL STATUTES

The Foundations for Evidence-Based Policymaking Act January 2019

Cybersecurity and Infrastructure Security Agency Act November 2018

Strengthening State and Local Cyber Crime Fighting Act November 2017

Cybersecurity Information Sharing Act (CISA) December 2015

Cyber Security Enhancement Act December 2014

National Cybersecurity Protection Act December 2014

Homeland Security Cybersecurity Workforce Assessment Act December 2014

Federal Information Security Modernization Act December 2014

RECENT EXECUTIVE ACTION AND POLICY

National Cyber Strategy September 2018

Department of Defense Cyber Strategy September 2018

Department of Energy Cybersecurity Strategy June 2018

Department of Homeland Security Cybersecurity Strategy May 2018

Executive Order 13833: Enhancing the Effectiveness of Agency Chief Information Officers

May 2018

Executive Order 13800: Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

May 2017

Executive Order 13757: Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities

December 2016

Presidential Policy Directive 41: U.S. Cyber Incident Coordination and Annex July 2016

REPORTS

U.S. NSTAC Cybersecurity Recommendations sent to White House for Action November 2018

CRS: Cybersecurity: Legislation, Hearings, and Executive Branch Documents November 2018

GAO Report: Urgent Actions are Needed to Address Cybersecurity Challenges Facing the Nation

September 2018

OMB Report: Federal Cybersecurity Risk Determination Report and Action Plan May 2018

CRS: Cybersecurity: Selected Issues for the 115 h Congress March 2018

4

Federal Statutes, Court Decisions, Executive Action, Policy, and other Authorities

TitleDate Enacted/

Published

REPORTS (CONTINUED)

GAO Report: Weaknesses Continue to Indicate Need for Effective Implementation of Policies and Practices

September 2017

CRS: Overview of DHS Efforts to Secure Federal Networks March 2017

GAO Report: Actions Needed to Strengthen U.S. Capabilities February 2017

CRS: Cybersecurity Issues and Challenges August 2016

GAO Report: Information Security DHS Needs to Enhance Capabilities, Improve Planning, and Support Greater Adoption of Its National Security Protection System

January 2016

State of the States on Cybersecurity November 2015

OMB Report: Cybersecurity Strategy and Implementation Plan October 2015

GAO Report: Cyber Threats and Data Breaches Illustrate Need for Stronger Controls across Federal Agencies

July 2015

Cyberspace Policy Review May 2009

As the table above clearly lays out, the myriad of authorities, which is not just laws, but also recommendations, Executive Orders, court cases and more, create a complex environment in which it’s difficult for energy operators to stay up to date. A recent MIT report recommends two actions (among several others) that could demonstrably improve industry cybersecurity:

1. Improve critical infrastructure defense coordination. Through the workshops used to produce this report, the team at MIT found that there is a sincere lack of coordination for cybersecurity across the federal government. The above table demonstrates this vividly, and is expanded on below.

2. Review laws and regulations to reduce risk and improve security. By talking to four key critical infrastructure industries, it was determined that there is a sense that current regulation prioritizes compliance, not actually implementing best in class security processes.4

4 https://internetpolicy.mit.edu/reports/Report IPRI CIS CriticalInfrastructure 2017 Brenner.pdf

The first recommendation is already being worked on as the Cybersecurity and Infrastructure Security Agency becomes operational at the Department of Homeland Security and through the National Risk Management Center, which seeks to improve the private public sector coordination surrounding national security risks. However, the second recommendation should be heeded and furthermore, the current efficacy of voluntary guidelines should be examined as well. Several industries already implemented the NIST Cybersecurity Framework, and have proven successful in increasing their cybersecurity by doing so. Furthermore, instead of adding to the regulatory burden, the voluntary guidelines provide best practices and, in some cases, industry specific solutions. Between greater coordination and increased implementation of voluntary guidelines, the industry can remain resilient against cyber threats.

5

III. Existing Regulatory AgenciesEnergy companies must grapple with the complex legal requirements from Congress and overlapping oversight from a variety of federal departments. Multiple agencies spread across the Departments of Homeland Security, Energy, and Commerce have responsibility over cybersecurity in the energy industry, making the already complex task of compliance even more complicated. Below is a summary of the major governmental stakeholders, and their role in energy sector cybersecurity.

U.S. Department of Homeland SecurityDHS is the primary agency responsible for the homeland security of the United States and has the responsibility to coordinate preparedness efforts across industries and governments in the United States. Consequently, the cybersecurity of critical infrastructure, including the energy grid, falls directly under its authority. To carry out this mission, DHS has developed a variety of rules, plans, and subsidiary agencies which affect how the energy sector secures its digital networks. First, DHS developed the “Energy Sector Specific Plan” in 2015, a set of objectives and risk priorities established as a part of its overall effort to secure American critical infrastructure.5 Among other things, the plan sets goals for research and development and dictates which threats are likely the most pressing across the electricity, and oil and natural gas sectors. Second, the department released its “2018 Cybersecurity Strategy” in May of this year. The third goal listed in the document is to “Protect Critical Infrastructure,” including the energy grid.6 This document carries its own separate set of objectives and priorities which the energy sector is subject to.

5 https://www.dhs.gov/sites/default/files/publications/nipp ssp energy 2015 508.pdf 6 https://www.dhs.gov/sites/default/files/publications/DHS Cybersecurity Strategy 1.pdf 7 https://www.us cert.gov/about us 8 https://www.dhs.gov/cisa/about cisa 9 https://www.dhs.gov/cisa/national risk management cent

Additionally, DHS has subsidiary bodies which have specific oversight responsibilities for the energy industry. The Computer Emergency Readiness Team (CERT) is tasked with bolstering cyber resilience in the United States in general, while also monitoring and responding to specific cyber risks or attacks.7 The Transportation Security Administration (TSA) also has a role in protecting the cybersecurity of energy companies. Additional information regarding the TSA’s role in cybersecurity can be found below.

Finally, in November 2018, President Trump signed a bill creating the Cybersecurity and Infrastructure Security Agency (CISA) within DHS. This provides greater authority and allocates more resources to what was formerly the National Protection and Programs Directorate (NPPD). It sets the groundwork for an increased cybersecurity role for DHS, specifically regarding critical infrastructure.8 Within this revised DHS component exists subsidiary groups with further specified oversight roles, including the Cybersecurity Division, Infrastructure Security Division, and National Risk Management Center. One of the latter office’s highest statutory priorities is the Pipeline Cybersecurity Initiative, which will urge an “in depth review and evaluation” of potential vulnerabilities in pipeline systems.9 Clearly, DHS has a significant and growing role in regulating energy cybersecurity. However, the Department of Energy (DOE) is also designated as the sector specific agency in the field.

DHS Assistant Secretary Jeanette Manfra, stated in November: ‘I don’t think a regulatory framework is going to solve this particular challenge.’ Rather, the speed and complexity of the changing cybersecurity environment entreat the government to allow the private sector flexibility in facing the threats they face every day.”

“

6

Transportation Security AdministrationThrough its role as a component of DHS, the Transportation Security Administration (TSA) is vested with the responsibility to provide oversight of our nation’s vast network of pipelines. As a part of this mandate, TSA is tasked with ensuring both the physical and digital security of these pipelines. In March 2018, TSA released an updated set of “Pipeline Security Guidelines,” outlining how pipeline operators must secure their physical and digital networks in order to protect them against cyber attacks.10

Even though the recommendations found in the report are not binding on energy companies, nearly all have implemented measures greater than those detailed in the report. For example, the enhanced security measures suggested by the report recommend that companies participate in annual security exercises. Many energy companies already do this. Just over a year ago, several representatives of the natural gas industry took part in the North American Electric Reliability Corporation’s GridEx IV training exercises. The event was a two day exercise

10 https://www.tsa.gov/sites/default/files/pipeline security guidelines.pdf 11 http://www.eei.org/resourcesandmedia/newsroom/Pages/Press%20Releases/MoreThan6000%20ElectricCompanyandGovernmentOfficialsTestedEn

ergyGridSecurityDuringGridExIVExercise.aspx 12 https://www.energy.senate.gov/public/index.cfm?a files.serve&File id ECD424B6 9837 4F1C BF0A 4FA2BE0FA20313 https://www.gao.gov/products/GAO 19 48

that used simulated attacks on the power grid to gauge cyber readiness.11 By participating in these types of training sessions, energy companies are already testing their capabilities and identifying their weaknesses.

This is just one of many examples of the private sector surpassing federal regulations in the area of cyber resilience. However, this has not stopped some lawmakers from urging DHS to potentially recommend more rigorous TSA regulations.12 A recent Government Accountability Office (GAO) report identified a shortage of cybersecurity workforce personnel to provide proper oversight of the pipelines.13 It should therefore be a priority of Congress to resolve the cybersecurity workforce problems through providing enhanced appropriations resources, not through more prescriptive TSA regulations. Since the natural gas pipeline industry has repeatedly demonstrated its commitment to cybersecurity and resilience, greater regulation would only cause further inefficiencies and further exacerbate the resource gap faced by TSA.

Just over a year ago, several representatives of the natural gas industry took part in the North American Electric Reliability Corporation’s GridEx IV training exercises. The event was a two-day exercise that used simulated attacks on the power grid to gauge cyber readiness. By participating in these types of training sessions, energy companies are already testing their capabilities and identifying their weaknesses.”

“

It should therefore be a priority of Congress to resolve the cybersecurity workforce problems through providing enhanced appropriations resources, not through more prescriptive TSA regulations. Since the natural gas pipeline industry has repeatedly demonstrated its commitment to cybersecurity and resilience, greater regulation would only cause further inefficiencies and further exacerbate the resource gap faced by TSA.”

“

7

U.S. Department of EnergyThe Department of Energy ensures America’s security and prosperity by addressing its energy, environmental and nuclear challenges through transformative science and technology solutions. This includes its grid resilience and its cyber readiness. In March 2018, DOE’s Office of Electricity Delivery and Energy Reliability released the “Multiyear Plan for Energy Sector Cybersecurity.” As with the Department of Homeland Security’s various documents, this plan sets out its own set of specific objectives, partnerships, strategies, and risk analyses.14 While the goals set forth by DOE are similar to those of DHS, they differ in that DHS is focused on identifying and eliminating threats, while DOE emphasizes better research and development (R&D) and response to cyber incidents. DOE is also responsible for ensuring energy grid resilience, which includes protecting against cyber threats that endanger the vitality of the grid.

The Federal Energy Regulatory Commission (FERC) is also tasked with oversight of energy grid resilience. According to their website, the Energy Policy Act granted FERC the authority “to oversee the reliability of the bulk power system, commonly referred to as the bulk electric system or the power grid. This includes the authority to approve mandatory cybersecurity reliability standards.”15 Just this year, Congress approved the creation of the Office of Cybersecurity, Energy Security, and Emergency Response (CESER) within DOE. This new agency will also have the authority to enforce cybersecurity standards on the private sector, as it is responsible for “the Department of Energy’s emergency preparedness and coordinated response to disruptions to the energy sector, including physical and cyber attacks…”16

14 https://www.energy.gov/sites/prod/files/2018/05/f51/DOE%20Multiyear%20Plan%20for%20Energy%20Sector%20Cybersecurity%20 0.pdf 15 https://www.ferc.gov/industries/electric/indus act/reliability/cybersecurity.asp 16 https://www.energy.gov/ceser/ceser mission 17 https://www.nist.gov/cyberframework

U.S. Department of CommerceFinally, the National Institute of Standards and Technology (NIST), under the authority and direction of the Department of Commerce, releases a seminal and regularly updated cybersecurity framework for the private sector as a whole. While a voluntary document, it is a respected and comprehensive source of best practices and standards.17 NIST provides updates to the framework and serves the important role of setting industry standards that other agencies are likely to enforce. However, as important as the NIST Cybersecurity Framework is, it further demonstrates the complex web of stakeholders that the energy industry is beholden to, and shows the various layers of cybersecurity standards and regulations the energy industry must follow.

Collaboration Between AgenciesAs noted above, coordination across the federal government for cybersecurity has been lacking. However, there are attempts to coordinate between the several agencies responsible for regulating the cybersecurity of the energy industry. The Departments of Homeland Security and Energy are ultimately responsible for ensuring the various agencies under their guidance are not sending conflicting messages to the private sector. Additionally, department wide protocols, like DHS’s 2018 Cybersecurity Strategy, govern the policies put forth by subsidiary bodies. Rules set forth by TSA and CERT are, should at least in theory, coherent with one another.

8

Interagency collaboration is more difficult to determine. While DHS has the ultimate responsibility for protecting American companies from cyber attacks, they often work through other agencies with more “sector specific” expertise, including designating DOE as the sector specific agency for the energy industry. Additionally, when DOE developed its cybersecurity strategy in 2018, it reviewed over “25 guiding documents” from across the U.S. government to ensure a coherent framework is being established.18 According to Assistant Secretary of Homeland Security Jeanette Manfra, in testimony to Congress in November 2018, DHS and DOE work together to ensure that each department is not wasting resources on the same issues, however she did not mention any specific framework or organization to ensure that their oversight burdens are not overbearing on the private sector itself.19 The new National Risk Management Center at DHS, announced in July 2018, may begin to address this problem, but it could also serve as another layer obfuscating and complicating cybersecurity oversight.20

It is clear that the existing landscape is cumbersome, as the private sector must keep track of multiple laws and executive orders, three departments, and around a dozen separate agencies. Even as DHS and DOE seek to ensure that they are not wasting resources among themselves, it is not clear what de conflicting mechanisms, if any, they use to ensure that their legally enforced regulations are not duplicative. As if that wasn’t enough, Congress has faced a series of bills which could further increase the regulatory burden.

18 https://www.energy.gov/sites/prod/files/2018/07/f53/EXEC 2018 003700%20DOE%20Cybersecurity%20Strategy%202018 2020 Final FINAL c2.pdf 19 https://www.dhs.gov/news/2018/11/14/written testimony nppd house homeland security subcommittee cybersecurity 20 https://www.cyberscoop.com/dhs risk management center/ 21 https://www.congress.gov/bill/115th congress/house bill/5175/text 22 https://www.congress.gov/bill/115th congress/house bill/5239 23 https://www.congress.gov/bill/115th congress/house bill/5240/

IV. Proposed Legislation Given that cybersecurity can garner support on both sides of the aisle, it’s a popular issue to address with legislation. However, much of the legislation seems to be solutions in search of a problem, especially as some bills are reintroduced every session.

While the 116 h Congress will have different priorities and political stances, given the Democratic majority in the House, three cybersecurity focused bills passed committees in the 115 h Congress, and have already been reintroduced in 2019. If these bills gain traction this session, they would further alter the cyber regulatory environment for the energy sector:

• Pipeline and Liquefied Natural Gas Facility Cybersecurity Preparedness Act (115th Congress) [Now HR 370 116 h Congress]21

Requires the Secretary of Energy “carry out a program relating to physical security and cybersecurity for pipelines and liquefied natural gas facilities.” This bill has been introduced in both Chambers during the 116 h Congress.

• Cyber Sense Act of 2018 (115th Congress) [Now HR 360 116 h Congress]22

The Bill “requires the Department of Energy to establish a voluntary Cyber Sense program to identify and promote cyber secure products intended for use in the bulk power system.”

• Enhancing Grid Security through Public-Private Partnerships Act of 2018 (115th Congress) [Now HR 359 116 h Congress]23

This Bill would “provide for certain programs and developments in the Department of Energy concerning the cybersecurity and vulnerabilities of, and physical threats to, the electric grid, and for other purposes.”

9

Overall, these bills are vaguely worded and aim to enforce policies which are already being enforced. While well intentioned, the bills would only create a greater regulatory burden upon the private sector that administers some of our key critical infrastructure. By creating new levels of bureaucracy, laws like these further complicates the framework addressing cybersecurity, to which energy companies are beholden. While Congress clearly wants to keep up with the evolving cybersecurity threat environment, it is unclear how new legislation would achieve this, or how it would avoid enforcing rigidity among energy companies attempting to protect themselves from cyber intrusion in the first place.

24 https://ongisac.org/ 25 https://internetpolicy.mit.edu/reports/Report IPRI CIS CriticalInfrastructure 2017 Brenner.pdf26 https://subscriber.politicopro.com/cybersecurity/whiteboard/2018/11/dhs official says regulation not the solution to cyber woes 2178943

V. The Complexity of Cybersecurity Oversight Cybersecurity is an issue of growing significance in Washington, and for good reason. However, existing cybersecurity oversight functions are complex, confusing, and duplicative. Before passing any new laws regarding regulation, there needs to be a thorough analysis of the current system, and the impact any new legislation would have on the firms operating our nation’s critical infrastructure. New legislation could make energy companies less flexible and reduce innovation, thereby creating a dangerous situation for the constantly changing cyber environment.

The energy sector has proven adept at implementing voluntary best practices in the cybersecurity field. The oil and natural gas sector, with DHS, developed the Oil and Natural Gas Information Sharing and Analysis Center (ONG ISAC) which allows companies in the industry to share information about threats and best practices to defend themselves from a cyber attack.24 Furthermore, a report from MIT cited one company that was a member of 12 information sharing networks, and others mentioned that more information sharing was unnecessary, especially given the current programs already in place.25 Considering the energy sector’s willingness to act before required, it could prove counterproductive for Congress to push through further legislation without rationalizing what is already on the books. Tellingly, Assistant Secretary Manfra, stated in November in November: “I don’t think a regulatory framework is going to solve this particular challenge.”26 Rather, the speed and complexity of the changing cybersecurity environment entreat the government to allow the private sector flexibility in facing the threats they face every day.

Existing cybersecurity regulation for critical infrastructure is already substantial, and layering more legislation without consideration of the other facets of the cyber defense structure make for a regulatory minefield that companies have little hope of successfully navigating.”

“

10

According to a recent study conducted by the French Institute of Foreign Relations (IFRI), the United States is more advanced than the European Union in terms of establishing both regulations and norms regarding cybersecurity.27 Even with the new General Data Protection Regulation and other oversight efforts in Europe, the United States continues to outpace other intensive regimes in the world in terms of cybersecurity, favoring “strict” policies which are enforced by “institutions possessing coercive powers.”28 The report goes on to state that the American model is more complicated than that of even the European Union in “terms of the development of precise and detailed norms on cybersecurity, as well as for the implementation of these norms.”29 This report further demonstrates the crowded and complex environment facing the energy industry as they seek to implement top tier cybersecurity programs, especially in comparison to the EU, which is known as a leader in strict cybersecurity and privacy regulations. The federal government should focus on reducing the complexity of cybersecurity oversight and authorities facing critical infrastructure industries, and allow industry to remain nimble and able to react to threats instead of adding duplicative and restrictive laws on top of existing rules.

27 https://www.ifri.org/sites/default/files/atoms/files/barichella cybersecurity energy sector 2018.pdf 28 Ibid29 Ibid

VI. ConclusionAs clearly demonstrated, the current cybersecurity oversight and regulatory environment facing critical infrastructure, but especially the energy, and oil and natural gas industries, is thoroughly complex. However, throughout the complexity, the voluntary guidelines show that regulation is not always the solution for greater cybersecurity. While there may be improvements to be made to implement the best practices, the good news is that there are readily available tools, such as the Center for Internet Studies Controls, which are step by step processes that implement the NIST Cybersecurity Framework. Before any additional legislation can be put into place, House and Senate Committees on Homeland Security should request a full study of current authorities, regulations, and the oversight structure to determine the efficacy of current programs. Furthermore, the White House should reinstitute the Senior Advisor for Cybersecurity, thus signaling a true commitment to cybersecurity and improving coordination across the federal government.

Critical infrastructure sectors, including the energy, financial services, communications, and others, have vested interests in ensuring that their assets are secure from both physical and cyber attacks, which is why many in critical infrastructure are leaders in cyber preparedness. The liquefied natural gas industry is a prime example of leadership in cybersecurity preparedness and prevention. Critical infrastructure sectors are acutely aware of the public outcry, financial loss, and increased oversight that would follow a catastrophic cyber breach. As such, it is critical to provide industry the flexibility to protect itself from cyber attacks.

The liquefied natural gas industry is a prime example of leadership in cybersecurity preparedness and prevention. Critical infrastructure sectors are acutely aware of the public outcry, financial loss, and increased oversight that would follow a catastrophic cyber breach.”

“