FERC, CFTC, and State Energy Law Developments

The US Government Accountability Office (GAO) issued a report on December 18, 2018, identifying significant weaknesses in the Department of Homeland Security’s (DHS) Transportation Security Administration’s (TSA) Pipeline Security Program management and recommending improvements to address those weaknesses. The report was driven by a recognition that “pipelines increasingly rely on sophisticated networked computerized systems and electronic data, which are vulnerable to cyber attack or intrusion,” and that “new threats to the nation’s pipeline systems have evolved to include sabotage by environmental activists and cyber attack or intrusion by nations.”

A new report by the National Infrastructure Advisory Council (NIAC) concludes that the nation is not prepared to adequately respond to a catastrophic power outage. The NIAC is a special advisory council composed of representatives from private industry, state and local government, and academia that is tasked with providing the president with advice on issues facing the nation’s 16 federally designated critical infrastructure sectors. The NIAC issued the report after it was tasked with examining the nation’s ability to respond to and recover from a “catastrophic power outage of a magnitude beyond modern experience, exceeding prior events in severity, scale, duration, and consequence.” The NIAC generally considers these to be limited- or no-notice events with a long duration (i.e., lasting weeks or months due to damage) impacting a broad geographic area (e.g., multiple states and affecting tens of millions of people) that could be further complicated by a cyber or physical attack.

Central to the NIAC’s report is examining the extent to which a catastrophic power outage that causes a failure in one critical infrastructure sector could lead to severe cascading impacts and force other critical sectors to operate in a degraded state for an extended period of time. The report reflects the NIAC’s view that, while the roles and responsibilities for emergency authorities are understood generally, the actual implementation of roles and responsibilities in response to a catastrophic power outage (e.g., cyber and physical attacks and larger-scale disasters) is still very much unclear. In this regard, the report stresses the importance of strong federal leadership in responding to and recovering from large-scale emergencies.

American national security officials believe that spies working on behalf of an adversarial nation-state successfully carried out an attack against US companies by compromising a key hardware supply chain, according to a report issued October 4 by Bloomberg Businessweek. The report details how the attackers implemented a “seeding” attack by installing tiny, malicious microchips on motherboards—a type of computer circuit board that houses processing and other essential components—that were assembled in Chinese factories. The exploit apparently had a ripple effect, as the compromised motherboards were ultimately installed in commercial servers that are widely distributed in the United States. One official estimates that the attack affected almost 30 companies, including a major bank and government contractors, and may have enabled the attackers to communicate with or infiltrate the sabotaged servers.

The Nuclear Regulatory Commission (NRC) and the Federal Energy Regulatory Commission (FERC) entered into a Memorandum of Understanding (MOU) on June 6 regarding the care and protection of critical energy/electric infrastructure information (CEII). The MOU delineates how the two agencies will cooperate to identify, process, and protect CEII that the NRC holds, explaining that the two independent agencies “mutually agree that it is important to protect CEII to ensure the safety and security of the electric grid.” Under the MOU, the NRC will be able to consult with FERC to designate certain NRC-held information as CEII—and therefore FOIA-exempt—if requested by a third-party under that open records law.

The MOU is another step in the US government’s attempt to address growing concerns about physical and cybersecurity threats to the electricity grid. Congress, recognizing these threats, directed the US Department of Energy and FERC to identify and protect CEII when it passed the “Fixing America’s Surface Transportation Act” (FAST Act) in 2015. FERC issued its CEII regulations in late 2016.