Security and Resilience (Cyber and Physical)

APPA Voices Concerns About Redundant Cyber Incident Reporting Bill

The House Energy and Commerce Committee’s Subcommittee on Energy, Climate, and Grid Security in late February approved a bill that would set up redundant cyber incident reporting mandates.

The American Public Power Association believes the bill, H.R. 1160, the Critical Electric Infrastructure Cybersecurity Incident Reporting Act, would create significant confusion, as well as impose a significant burden on public power utilities with little, if any, security benefits. The bill is sponsored by Representatives Tim Walberg (R-MI) and Kim Schrier (D-WA).

H.R. 1160 would define the Department of Energy as the designated agency within the federal government to receive notifications regarding cybersecurity incidents and potential cybersecurity incidents with respect to critical electric infrastructure from other federal agencies and owners, operators, and users of critical electric infrastructure.

Owners, operators, and users of critical electric infrastructure (including federal agencies, such as the Power Marketing Administrations) would be required to report cybersecurity incidents and potential cybersecurity incidents to DOE within 24 hours of discovery. DOE would be directed to, within 240 days of enactment, promulgate regulations to facilitate the submission of notifications regarding cybersecurity incidents and potential cybersecurity incidents. 

In a Feb. 26 letter to lawmakers, Desmarie Waterhouse, Senior Vice President of Advocacy and Communications & General Counsel at APPA, detailed APPA’s concerns with H.R. 1160.

She said it is not clear how this legislation would work with existing cybersecurity incident reporting requirements, such as what is required through the North American Electric Reliability Corporation, or with pending cybersecurity incident reporting requirements, such as the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).  

CIRCIA directs the Cybersecurity and Infrastructure Security Agency to work with sector risk management agencies (DOE, in the electric utility industry’s space) to harmonize implementation of the law with existing reporting requirements.

“APPA believes that task will be a significant undertaking and enactment of this legislation would create great confusion,” wrote Waterhouse.

CIRCIA says that covered entities that report “substantially similar information” within a “substantially similar timeframe” to another federal agency can be exempted from reporting directly to CISA provided that the federal agency has an “agency agreement and sharing mechanism in place” with CISA.

APPA believes that DOE should prioritize getting the legal agreements and technology in place that would allow electric utilities to report incidents directly to DOE (or NERC/FERC) and have that reporting count as fulfilling our reporting obligations under CIRCIA. This would benefit DOE without setting up a separate process as this bill envisions, Waterhouse said.

 Defining what constitutes a “potential cybersecurity incident” is “deceptively difficult – it is subjective and highly dependent on the situation and assets involved,” wrote Waterhouse.

Such mandated reporting of “potential incidents,” especially with a 24-hour reporting window, would likely result in utilities overreporting, making it difficult if not to impossible to get a meaningful signal through the noise.

“For example, one large APPA member says that it blocks roughly one million attempts to connect to internal networks on any given day. Each of these one million attempts could fall into the ‘potential cybersecurity incident’ definition. But none of these attempts were successful, nor were they targeted, which negates the usefulness of reporting,” the letter notes.

In addition, critical electric infrastructure is defined in the 2015 FAST Act as “a system or asset of the bulk power system, whether physical or virtual, the incapacity or destruction of which would negatively affect national security, economic security, public health or safety, or any combination of such matters.”

“This is a broad definition. No list exists of CEI and this legislation does not offer any guidance as to who would determine what constitutes CEI -- would DOE have to create one to figure out who is covered by this law or would utilities have to self-designate? Each of these possibilities comes with a host of issues,” wrote Waterhouse.

APPA is urging member utilities that have members of Congress who sit on the full Energy & Commerce Committee to reach out to those lawmakers immediately to flag concerns with this legislation and to share APPA’s letter.