April 29, 2024
Senate Energy Comm. Ponders Change in Cybersecurity Authorities
DOE's Office of Cybersecurity, Energy Security, and Emergency Response Director Puesh Kumar testifying Thursday. | Senate ENR
Senators discussed new bills that would give FERC authority over gas pipeline cybersecurity and change how DOE handles cyber threats.

FERC should get authority over the cybersecurity of natural gas pipelines, lawmakers said at a hearing of the Senate’s Energy and Natural Resources Committee on Thursday.

“I want to work with the committee and the chairman and ranking member to introduce legislation that will give FERC this very clear role,” said Sen. Maria Cantwell (D-Wash.).

“I think that’s what needs to be done” to protect pipelines from cybersecurity attacks, she added.

Cantwell has not officially introduced the legislation, according to Congress’ legislation tracker.

Sen. Angus King (I-Maine) noted that even if the New England grid had perfect cybersecurity, power could still be knocked out by a cyberattack focused on the pipelines that flow into the region. The Transportation Security Administration currently oversees cybersecurity for pipelines.

“So, it bothers me that we’ve got TSA over here and FERC over here, and I’m not sure there’s a consistent regulatory… structure,” King said.

Sen. Joe Manchin presiding over Thursday’s hearing | Senate ENR

“Trying to fix that, sir,” Committee Chairman Joe Manchin (D-W. Va.) chimed in before King could finish his sentence.

King said he’s worried that with authority split over two highly connected energy systems’ security, something could fall through the cracks.

FERC has been regulating cybersecurity on the electric side for a decade and the gas network needs to be just as reliable as the grid, said Stephen Swick, chief security officer at American Electric Power (NASDAQ: AEP).

“Now we’ve got regulations and a lot of pressure on the gas pipelines, but it should be standardized,” Swick said. “And if FERC can lead that, then I think they’ll line up well and we can have the same progress for both industries.”

Dragos CEO Robert Lee said his firm has worked with the power sector on cybersecurity as a vendor and that both industries should ideally have the same regulator.

“I would say that FERC is a very logical choice,” Lee said. “I don’t really particularly care which one takes it so long as it’s one.”

TSA’s first attempt at regulating pipelines was rushed, but the agency has since worked hard and improved its rules, Lee said, adding the issue would benefit from increased standardization under one agency.

Bills Would Change DOE’s Cybersecurity Functions 

Other legislation discussed at the hearing would impact the Department of Energy, with Manchin and Sen. Jim Risch (R-Idaho) introducing the “Energy Threat Analysis Center Act of 2023,” which seeks to improve information sharing between the government and private industry.

“This legislation will empower the DOE to coordinate with the private sector on critical information sharing and risk assessments to help protect our great nation against cyber threats,” Manchin said.

Ranking Member John Barrasso (R-Wyo.) introduced S 2302 to elevate the head of DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) back to the assistant secretary level.

“China and Russia threaten our nation’s cybersecurity. Our energy grid and pipeline network are too important to be left vulnerable to attacks by such hostile nations or rogue actors,” Barrasso said. “The Department of Energy plays a critical role. The department needs a Senate-confirmed head of its cyber office to help counter these threats.”

CESER Director Puesh Kumar thanked Barrasso for his continued support for the office at the hearing yesterday.

“This is the mission that brought me back from the private sector to come down and lead this,” Kumar said. “It was too important to not do it. I will defer to the president and Congress on the title of that position. But I can confidently tell you that I have access to the department’s resources and leaders to accomplish this mission.”

Lee praised Kumar and said the position should have stayed at the assistant secretary level.

“It’s caused him to be sidelined at some meetings, and titles matter in government, whether we like it or not,” Lee added.

Senators Seek Answers on Chinese Components

The supply chain and its impact on cybersecurity was an issue for Sen. Josh Hawley (R-Mo.), who asked Kumar how many components manufactured by China were in the transmission grid.

Kumar did not provide any firm numbers, saying the department is working to understand just how much equipment made in China is on the grid.

“The hard part about some of these questions is, you know, at the top level, it could be [that] it looks like an American manufacturer or friendly country,” Kumar said. “That’s why when you go down to the sub-component level is where it gets a lot harder. So, our focus is really looking at all of that equipment, and we’re now doing that analysis.”

Hawley complained about the lack of specifics in Kumar’s answer and said he wanted some actual numbers to be supplied by DOE in response to a written question he plans to submit. King said he also wants to see more firm data on Chinese components.

“This rarely happens with me, but I want to associate myself with the questions of Senator Hawley,” King said. “I think determining the Chinese-origin content of crucial parts of the electric system, whether it’s SCADA systems, transformers, wherever, is a ‘hair on fire’ urgent matter. Next time you’re here, we need a much sharper answer to that because that’s an enormous opportunity for malicious activity.”
