Cybersecurity Top Concern at DOE Budget Hearing

Granholm Says Congress Could Consider New Security, Reliability Standards for Pipelines

May 20, 2021

Wednesday’s hearing before the House Energy and Commerce Subcommittee on Energy focused on the recent Colonial Pipeline cyberattack.

Wednesday’s hearing before the House Energy and Commerce Subcommittee on Energy was nominally about the Department of Energy’s 2022 budget request for $46.2 billion.

But the issue clearly top of mind for many representatives and Secretary of Energy Jennifer Granholm, the hearing’s sole witness, was the recent Colonial Pipeline cyberattack and what actions will be needed to shore up U.S. cybersecurity.

DOE cybersecurity — Secretary of Energy Jennifer Granholm | *DOE*

The pipeline hack “was really a stark reminder of the imperative to harden the nation’s critical infrastructure against these serious and growing threats like ransomware,” Granholm said in her opening statement. “And in the face of an evolving array of 21st-century risks, we have to rethink our approach to security and to reassess the authorities that we can bring to bear.”

The full Energy and Commerce Committee already had responded to the attack — and resulting gasoline shortages — with a spate of bipartisan legislation, announced May 12.

Rep. Bobby L. Rush (D-Ill.), subcommittee chair, talked up the Pipeline and LNG Facility Cybersecurity Preparedness Act (H.R. 3078) he and Rep. Fred Upton (R-Mich.) had re-introduced in the House. Originally introduced in 2019, the legislation would, Rush said, “further strengthen DOE’s ability to respond to physical and cybersecurity threats.”

Under the Energy Emergency Leadership Act (H.R. 3119), sponsored by Rush and Rep. Tim Walberg (R-Mich.), responding to energy emergencies and cybersecurity threats would be elevated as a core function for DOE. The bill is another retread, in this case from 2020.

But Rep. Frank Pallone (D-NJ), who chairs the Energy and Commerce Committee, believes more rigorous regulatory action may be needed, similar to the electric industry’s reliability standards developed by NERC and FERC. “No similar rigorous programs exist for pipelines, just a set of voluntary guidelines overseen by [the Transportation Security Administration], and this is a big gap,” Pallone said. “I believe it’s time to consider mandatory, enforceable reliability standards for our nation’s pipeline network.”

At the same time, Republicans such as Rep. Cathy McMorris Rodgers (R-Wash.), ranking member of the committee, framed the gas supply shortage as “a harsh reminder of how important reliable supplies of fuels are for America. It’s a reminder of how critical pipelines are for clean, efficient, secure delivery of the energy people and our economy need to thrive,” she said.

Biden’s “rush-to-green agenda” is a distraction, undermining DOE’s core mission to ensure energy security, Rodgers said.

Building in Cybersecurity

Responding to questions from Rush and Pallone about what Congress can do to further support the DOE on cybersecurity, Granholm pointed first to President Biden’s recent executive order on the issue. Specific provisions include a requirement for information technology providers serving the federal government to share information on any system breach, and an “Energy Star” type pilot program to help identify software that has been developed securely, she said.

The executive order provides “a good signal to industry on what we at the federal level will purchase and use, and therefore may also be guidance for how we might think more broadly,” Granholm said.

She also pointed to efforts to beef up the DOE’s Office of Cybersecurity, Energy Security and Emergency Response (CESER), with the appointment of a new acting director, Puesh M. Kumar, formerly principal manager for cybersecurity engineering and risk management at Southern California Edison.

“CESER has been working on secure manufacturing and innovation, working with our Office of Fossil Energy to ensure cybersecurity is built into new technologies to support the next generation of oil and natural gas infrastructure and systems,” she said.

Upton also asked if Congress should enact a “minimum standard for critical energy infrastructure” to help prevent future cyberattacks.

“If we had standards in place, would this particular ransomware attack have been able to happen? I’m not 100% sure,” Granholm said. “I do know that having good cyber hygiene, on the private side as well as on the public side, is a critical basic defense, especially for critical services like energy. I think it’s an important consideration for this committee.”

Upton then pressed her on permitting reform and the Democratic climate agenda, which, he said, “would essentially shut down oil and gas production and new pipelines.” Granholm quickly pivoted to transmission.

“We’ve seen so much lag time and so many hoops that have to be jumped through to get critical infrastructure in the ground,” Granholm said, pointing to hundreds of gigawatts of clean energy in transmission queues across the country. “We need to update government processes to make sure that we still protect what we intended to protect in the first place.”

Back to the Budget

Granholm also took some heat, again from Rodgers, on the lack of detail on budget figures in her written testimony for the hearing, and dodged the Republican’s request for a study on the impact of Biden’s climate plan on electric system reliability and consumer energy bills.

The figures available in Granholm’s statement include $1.9 billion for DOE’s Building Clean Energy Projects and Workforce Initiative. Another $8 billion is earmarked for clean energy innovation, and $7.4 billion will go to the Office of Science to increase understanding of climate change and develop new materials and concepts for clean energy technologies of the future. (See Granholm Lays Out DOE’s $46.2 Billion Budget.)

Other highlights include:

Increased funding for a “revitalized Office of Fossil Energy and Carbon Management” that will help advance “technologies and methods such as carbon capture and storage, hydrogen and direct air capture.”
Enhanced research funding for historically black colleges and universities and minority-serving institutions to help build labs and upgrade computer systems, while also creating opportunities for students to develop careers in science, technology, engineering and math.
Funding for DOE programs that “support fossil fuel workers translating their skills to new positions in various areas, from extracting critical minerals from coal mine sites and upgrading pipelines to reduce methane to building carbon capture and hydrogen systems on existing industrial and power plant facilities.”

The question of whether the Colonial Pipeline cyberattack will lead to the passage of bipartisan legislation is, in a sharply divided Congress, uncertain, leaving some — like Rep. Jerry McNerney (D-Calif.) — understandably frustrated.

“During the pipeline shutdown many Americans were waiting in long lines for gasoline, referring to this as a wake-up call to the cybersecurity vulnerabilities in our system,” McNerney said. “Each time an incident like this occurs, it’s called a wake-up call. How many wake-up calls is it going to take for us to get this right?”

FERC & Federal Public Policy

KeywordsU.S. Department of Energy (DOE)