Security and Resilience (Cyber and Physical)

Groups Outline Concerns with Mandatory Cyber Incident Reporting Legislation Under Consideration

The American Public Power Association (APPA) and the National Rural Electric Cooperative Association (NRECA) do not support including electric utilities in mandatory cyber incident reporting legislation currently under discussion in Congress because the legislation treats all critical infrastructure entities as equally impactful to national security and puts the onus on the critical infrastructure entity to share information with multiple government agencies.

Joy Ditto, President and CEO of APPA, and Jim Matheson, CEO of NRECA, outlined the concerns of the associations in an Aug. 30 letter to a number of key lawmakers in the House and Senate.

“We are writing to you regarding several introduced and draft bills that would mandate critical infrastructure sectors to report ‘cyber incidents’ to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA),” Ditto and Matheson wrote.

“We believe that the incident reporting mandates currently under discussion would burden electric utilities -- especially smaller public power and cooperative utilities -- with increased administrative tasks that will not materially increase their, or the country’s, cybersecurity posture, but would likely divert limited resources away from securing and defending systems,” Ditto and Matheson said.

They said that electric utilities “take very seriously their responsibility to maintain a secure and reliable electric grid. It is the only critical infrastructure sector that has mandatory and enforceable federal regulatory standards in place for cyber and physical security (collectively known as grid security).”

These standards include mandatory reporting of specific cyber incidents to the Department of Energy (DOE) via an Electric Emergency Incident and Disturbance Report (OE-417) and to the North American Electric Reliability Corporation and the Federal Energy Regulatory Commission, the letter pointed out.

Outside of these mandatory reporting standards, all electric utilities, including public power utilities and rural electric cooperatives, participate in robust voluntary information sharing systems such as the Electricity Subsector Coordinating Council and the Electricity Information Sharing and Analysis Center, as well as the Multi-State Information Sharing and Analysis Center for public power, Ditto and Matheson said.

Most recently, electric utilities have worked closely with the National Security Council, DOE, and DHS on the “100 Day Electric Sector Industrial Control Systems Cybersecurity Sprint” to encourage and support utilities’ visibility and monitoring of their industrial control system and operational technology networks, as well as automated sharing into government. “It is not clear how these bills would impact these existing voluntary channels or existing or planned machine-to-machine sharing,” wrote Ditto and Matheson.

The biggest concerns of APPA and NRECA with the various versions of incident reporting legislation currently under discussion can be grouped into two broad categories.

First, the legislation “treats all critical infrastructure entities as equally impactful to national security -- there is no accounting for the wildly differing risk profiles of an electric utility serving millions of customers and a small distribution electric utility without an industrial control system [a type of operational technology] serving 250 customers.”

Second, the legislation “puts the onus on the critical infrastructure entity to share information with multiple government agencies, instead of encouraging and facilitating the sharing of information between and among agencies.”

While those are the two most significant concerns, “we are also concerned that some proposals include heavy financial fines for failure to report within a very short time period,” Ditto and Matheson told the lawmakers. “All of our members must be able to focus on the matter at hand in the event of a breach and should be given the flexibility to report once the crisis is understood and being managed. There has also been little discussion on how mandatory reporting requirements would impact long existing and robust voluntary information sharing systems nor on what the government’s responsibility is in terms of actionable information sharing and support.”  

If Congress chooses to enact broad mandatory cyber incident reporting legislation for critical infrastructure, Ditto and Matheson said that they agree with the principles laid out in an August 27 letter led by the Information Technology Industry Council (ITI) and endorsed by numerous other critical infrastructure sector entities and associations.

In that letter, ITI and the other entities and associations said that in order to ensure an effective incident reporting regime that leverages the limited resources of federal agencies, enables regulatory compliance, provides liability protections, and advances national cybersecurity interests, policymakers in Congress should, at a minimum, follow five key principles:

  • Establish feasible reporting timelines of no less than 72 hours
  • Limit reporting regulations to verified incidents and intrusions
  • Limit reporting obligations to the victim organization, rather than third-party vendors or providers
  • Harmonize federal cybersecurity incident reporting requirements
  • Ensure confidentiality and nondisclosure of incident information provided to the government