FERC, CFTC, and State Energy Law Developments
As has been reported, a recent ransomware attack has caused an interstate pipeline and fuel supplier to much of the eastern United States to shut down its operations. Although the attack did not compromise operational systems, the company opted to cease operations as a precautionary measure.
FERC approved revisions to three Critical Infrastructure Protection (CIP) North American Electric Reliability Corporation (NERC) Reliability Standards to expand the scope of the assets subject to supply chain cybersecurity requirements and related obligations. Supply chain cybersecurity continues to be a focus of NERC, energy industry stakeholders, and government regulatory and securities agencies.
President Joe Biden signed an executive order on February 24 to address possible vulnerabilities in the supply chains of critical national economic sectors, including the energy sector. The executive order directs various executive departments and agencies to complete, in coordination with private stakeholders, a series of assessments to evaluate the resiliency of supply chains in those key sectors. In his prepared remarks, President Biden explained that the order was prompted partly by concerns surrounding shortages in semiconductors, which are vital components of electronic devices used in everything from mobile phones to motor vehicles.
In May 2020, US President Donald Trump issued Executive Order 13920, banning the unrestricted import or use of certain categories of bulk-power system electric equipment from foreign adversaries, with a focus on Russian and Chinese equipment suppliers. The future of that regulation is now up in the air.
The US Congress adopted extensive federal energy policies in the Energy Act of 2020 (Energy Act), which President Donald Trump signed into law on December 27 as part of the Consolidated Appropriations Act, 2021.
At its December open meeting, FERC proposed to establish rules for incentive-based rate treatments for voluntary cybersecurity investments by a public utility.
The secretary of the US Department of Energy (DOE) issued an order on December 17 prohibiting electric utilities from installing equipment or components provided by Chinese companies in electric facilities serving designated “Critical Defense Facilities.” Relying on authority from Executive Order 13920 on Securing the United States Bulk-Power System, the order identified threats to the electric supply chain from China and concluded that prohibiting Chinese equipment in these sensitive facilities is necessary to respond to the Chinese government’s plans to undermine the bulk-power system.
Following significant pushback from the regulated community, FERC and NERC Staff jointly announced in a new white paper that filings and other submissions to FERC describing violations of cybersecurity reliability standards would be entirely nonpublic. Under the revised approach, all cybersecurity noncompliance information will be considered CEII and not disclosed in response to FOIA requests.
At its June 18 open meeting, FERC issued a notice of inquiry seeking public input on cybersecurity-related enhancements to the Critical Infrastructure Protection (CIP) reliability standards. In light of the constantly evolving nature of cybersecurity threats to the bulk power system, FERC is interested in determining whether the current CIP standards adequately address specific cyberrisk areas related to data security and cybersecurity incident detection, containment, and mitigation.

President Donald Trump signed an executive order on May 1 declaring that the use of bulk-power system equipment supplied by companies controlled by certain foreign nations poses an extraordinary threat to the US power grid. The order observes that the bulk-power system is a valuable target for malicious actors, and any attack on that system could pose serious risks to the economy, public health and safety, and national security.