The Executive Order on Cybersecurity and the Energy Industry
On February 12, 2013, the President issued an Executive Order (EO) and an accompanying Presidential Policy Directive, PPD-21 (PPD). The EO requires improved cybersecurity information sharing between the federal government and the owners and operators of critical infrastructure (the vital systems and assets) and the development by the federal government of standards to reduce cyber risks to critical infrastructure. The PPD delineates the critical infrastructure-related functions, roles, and responsibilities across the federal government for implementing the EO. The PPD identifies 16 critical infrastructure sectors (including energy) and designates the Sector-Specific Agencies responsible for each sector. Given that the electric utility industry is currently subject to mandatory cybersecurity standards, attention should be given to the EO and how it is implemented.
To improve information sharing, the EO requires the Secretary of Homeland Security to ensure the production of unclassified reports of cyber threats to the U.S., as well as the dissemination of classified reports to the owners or operators of critical infrastructure authorized to receive them. The Secretary is also directed to expand a voluntary information sharing program to provide classified cyber threat and technical information from the government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure. The Secretary is also directed to expedite the processing of security clearances for personnel employed by critical infrastructure owners and operators.
In terms of standards, the National Institute of Standards and Technology will lead the development of a Cybersecurity Framework, which will incorporate voluntary consensus standards and industry best practices to the fullest extent possible. A voluntary program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities will be established, which will include incentives designed to promote participation in the Framework. And each agency with responsibility for regulating the security of critical infrastructure (the Sector-Specific Agency) will determine whether it has authority to establish requirements based on the Framework and, if such authority is insufficient, the agency shall propose actions to mitigate cyber risk. The Department of Energy is the Sector-Specific Agency for energy.
For more information about the Executive Order or to discuss the issues it may raise for the energy industry, contact Bonnie Suchman.
© TROUTMAN SANDERS LLP. ADVERTISING MATERIAL. These materials are to inform you of developments that may affect your business and are not to be considered legal advice, nor do they create a lawyer-client relationship. Information on previous case results does not guarantee a similar future result.