Federal lawmakers urge DOE to maintain authority over cybersecurity for energy sector

Published on April 12, 2022 by Dave Kovaleski

A group of Congress members is urging the leadership of the Department of Energy to ensure that the agency remains the lead cybersecurity agency for the energy sector.

In a letter to Energy Secretary Jennifer Granholm, the lawmakers stressed the importance of energy sector and Federal government coordination in responding to cyber threats to energy infrastructure. They also urged Granholm to ensure that the Federal government does not impose duplicative cyber incident reporting requirements on the sector.

The letter was signed by U.S. Sens. Joe Manchin (D-WV) and John Barrasso (R-WY), along with U.S. Reps. Frank Pallone (D-NJ) and Cathy McMorris Rodgers (R-WA). Manchin and Barrasso serve as chair and ranking member, respectively, of the Senate Energy and Natural Resources Committee. Pallone and McMorris Rodgers serve as chair and ranking member, respectively, of the House Energy and Commerce Committee.

The inquiry follows the passage of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 as part of the Consolidated Appropriations Act of 2022. The Act establishes mandatory cyber intrusion reporting requirements for critical infrastructure companies, including companies in the energy sector. Further, it assigns responsibility for implementation to the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA).

“Given the increase of cyberattacks on energy infrastructure, the ability to consolidate and share that information within the federal government to rapidly respond is vital. However, while the Act spells out CISA’s new obligations, DOE remains the lead agency for energy sector cybersecurity as established by law. As cyber threats increase, it is urgent that DOE fulfill its duty as the lead agency. DOE’s energy sector expertise and well-established partnerships with industry are critical in managing risk in today’s threat environment. We fully expect that DOE will discharge its lead cybersecurity and emergency response efforts for the energy sector in close coordination with DHS as it has done for years,” they wrote to Granholm.

Prior to the passage of the bill, energy companies were required to report certain cyber incidents to DOE, the Federal Energy Regulatory Commission (FERC), state and local agencies, and the North American Electric Reliability Corporation (NERC).

“As CISA develops a rulemaking for reporting requirements under the Act, we ask you to work to maintain DOE’s role as the SRMA for the energy sector, as required by law. Further, we ask that you urge the Secretary of Homeland Security and other federal agencies to harmonize existing cyber incident reporting requirements for the energy sector with CISA’s forthcoming reporting requirements in order to provide clarity and consistency,” the lawmakers added.